Don't offer or allow viewing of an HTML version of a request if it is hidden, or requester_only. Google docs viewer won't be able to access it, and our own conversion process currently produces image files that will then be publicly viewable. If necessary we can revisit this code to enable admins and requesters to view the HTML version created by our own conversion without adding these files to a path that is served directly by the web server.

1 files changed, 15 insertions, 0 deletions

diff --git a/spec/controllers/request_controller_spec.rb b/spec/controllers/request_controller_spec.rb
index f40eecfff..e8f93b8fa 100644
--- a/spec/controllers/request_controller_spec.rb
+++ b/spec/controllers/request_controller_spec.rb
@@ -859,6 +859,21 @@ describe RequestController, "when changing prominence of a request" do
         response.should render_template('request/hidden')
     end
 
+    it 'should not generate an HTML version of an attachment whose prominence is hidden/requester
+        only even for the requester or an admin but should return a 404' do
+        ir = info_requests(:fancy_dog_request)
+        ir.prominence = 'hidden'
+        ir.save!
+        receive_incoming_mail('incoming-request-two-same-name.email', ir.incoming_email)
+        session[:user_id] = users(:admin_user).id
+        lambda do
+            get :get_attachment_as_html, :incoming_message_id => ir.incoming_messages[1].id,
+                                      :id => ir.id,
+                                      :part => 2,
+                                      :file_name => ['hello.txt']
+        end.should raise_error(ActiveRecord::RecordNotFound)
+    end
+
 end
 
 # XXX do this for invalid ids